Smishing, Vishing, and Phishing, Oh My!


Just when we got used to the term phishing and somewhat savvy about how to spot phishing scams, along come smishing and vishing. What is a wary consumer to do?

In this post, we’re taking a look at all three scams. We hope to help you spot smishing, vishing, and phishing scams in advance so that you’ll be able to keep your identity safe and your money in your pocket.

We’ll begin by defining what smishing, vishing, and phishing are.

Phishing defined

Phishing is when you receive an email that appears legitimate but it’s a false front for criminal activity. The sender might use an email address that looks reputable. Often, they’ll tweak a legitimate company’s email address so it’s impossible to spot the difference.

Scammers might also have information about you that’s true, like your name or address. They take time to research recipients and tailor their communications to specific people, which makes them more believable. They provide that information to convince you that they’re legitimate and get you to provide additional information that they can use to steal your money.

They’re on a phishing expedition. They want your credit card number, PIN, banking information, passwords, your mother’s maiden name, social security number, and any other personal information that can help them make money off your identity.

They’re clever and their emails can be convincing. They often pose as reputable people from legitimate organizations, such as banks and government institutions. They’ll pretend to be an entity you have a relationship with and trust. They’ll also use an urgent tone and a false narrative to get you to click on links. By preying on your emotions, they hope to make it difficult for you to think logically.

These are scare tactics intended to make you act quickly without thinking things through. You might be told you won the lottery, for example, or that your social security benefits have been suspended and you need to act fast to reinstate them.

Once you click on one of their links, you’ll end up at a bogus website where you’ll be asked to provide information, while malicious software (malware) will sometimes be loaded onto your device at the same time. Malware allows thieves to remotely access your passwords and other private information.

How many phishing attacks in 2022?

There were a whopping 255 million phishing attacks in 2022, according to SlashNext, a provider of security for cloud messaging. This represents a 61% increase in phishing attacks compared to 2021.

Phishing has been able to accelerate so fast, says SlashNext, because more and more employees are using their personal devices to communicate for work.

Smishing definition

Smishing is the same kind of scam as phishing but it happens through text (SMS) messages.

Cybercriminals are moving their attacks to mobile devices, says SlashNext, because they’re aware that email usually has protections in place. They’re now focusing on alternative forms of messaging such as texting, Slack, and WhatsApp.

Criminals are also engaging in two-pronged attacks. They’ll send a scam email, for example, and then follow up with a scam text. This can make them appear more legitimate because they have access to more than one piece of information about you. This multi-pronged approach may also make their scam appear more urgent.

Vishing definition

Vishing is the same kind of scam as phishing and smishing, but it happens over the phone, voice email, or VoIP calls. (VoIP calls are voice over internet protocol calls, which enable phone calls over the internet.)

The caller often sounds legitimate and might try to capitalize on the trust you have in certain institutions. For example, they might pose as law enforcement and say that you’re under investigation.

Remember, criminals are sophisticated. They can even trick your caller ID into displaying the name of a seemingly legitimate entity, such as “Cleveland FBI.”

The Federal Bureau of Investigation (FBI) uncovered a scam last year in which criminals called and identified themselves as Deputy John Garrison, an actual U.S. Marshal in Texas. They had his badge number as well. Residents were told they committed an offense, such as failing to report for jury duty, and they had to pay an immediate fine or risk being arrested.

The scammers wanted payment in a form that’s immediate, such as a wire transfer, prepaid debit card, gift card, or cashier’s check. When faced with that request, you need to pay attention. Any demand for payment in the form of a gift card, wire transfer, prepaid debit card, or cash is a sure sign of a scam. Fraudsters prefer these payment methods because they’re hard to reverse and often difficult to track.

According to the Federal Trade Commission (FTC), anyone requesting payment by gift card is ALWAYS a scammer.

In another version of vishing, you might get a phishing email, but you’re asked to reply by phone. You’ll be given a fake customer service number to call, which is actually a VoIP account. When you call, you’ll be prompted to provide your account number, password, and other personal information.

Vishing works well for criminals because VoIP services are inexpensive, and criminals can easily use software to create phony customer service lines.

Scams can be seasonal

Whether it’s a smishing, vishing, or phishing scam, criminals will often tailor their tactics to the seasons. They take advantage of the time of year to impersonate someone you’d expect to hear from, such as an IRS agent around tax time. During the holidays as well, they’ll try to scam you with shopping deals.

How to prevent a scam

It’s important to place less faith in your phone’s caller ID. Imposters can rig that system so that their calls appear to be from a legitimate source.

Try to never call back a number that’s left for you or that appears on your caller ID. Instead, research the organization on the web or elsewhere, find their number, and call that number back.

Banks, for example, provide customers with customer service numbers when they establish their accounts. If you hear from your bank but the call is suspicious, call back the number that you already have for them and describe the phone call you received. They’ll access your account and let you know if there’s a legitimate concern.

Remember that fraudsters can trick caller ID to make their calls appear to be from a legitimate entity. Consider installing a call-blocking app on your smartphone or signing up for a call-blocking service from your service provider.

Legitimate companies will never contact you and ask for sensitive information like your social security number, passwords, PINs, or your mother’s maiden name. At most, they’ll ask for some details about you IF YOU CONTACT THEM. If someone contacts you and starts asking personal questions, hang up the phone or delete their email or text. It’s surely a scam.

Try never to click on a link in an unsolicited email or text. It’s a good habit to not even open them. Before you open an email or text that you didn’t expect to receive, look closely at the email address for misspellings or slight variations on a legitimate company’s name.
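To show what "slight variations on a legitimate company’s name" look like when checked automatically, here is an added example (not part of the original post) that compares a sender's domain against a short list of domains you already trust. The domain list, the sample headers, and the function names are all made up for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allow-list: the organizations this mailbox really deals with.
TRUSTED_DOMAINS = {"examplebank.com", "irs.gov"}
# Digits commonly swapped in for the letters they resemble.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Fold a domain to a comparison form: drop accents, undo lookalike swaps."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.translate(LOOKALIKES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return (verdict, trusted domain it matches or imitates, or None)."""
    address = parseaddr(from_header)[1]
    if "@" not in address:
        return ("unparseable", None)
    domain = address.rpartition("@")[2].lower().rstrip(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain == trusted or domain.endswith("." + trusted):
            return ("trusted", trusted)
    for trusted in sorted(TRUSTED_DOMAINS):
        limit = 2 if len(trusted) >= 10 else 1   # short names get a tighter bound
        near = edit_distance(skeleton(domain), skeleton(trusted)) <= limit
        embedded = trusted in domain             # e.g. irs.gov.tax-refund.example
        if near or embedded:
            return ("lookalike", trusted)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample "From" headers, not taken from real messages.
    for header in ("Example Bank <alerts@examplebank.com>",
                   "Example Bank <alerts@examp1ebank.com>",
                   "Example Bank <alerts@exarnplebank.com>",
                   "IRS <refund@irs.gov.tax-refund.example>"):
        print(header, "->", check_sender(header))
```

A "trusted" result only means the address is spelled correctly. The sender line of an email can be forged, so the advice to contact the company through a number or website you looked up yourself still applies.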

If you’ve opened an email or text and think it might be legitimate, search for the company’s contact information on the web and use that information to contact them.

NEVER open an attachment to an email or text from someone you don’t know. Also, be wary of attachments that are forwarded to you. The person who forwarded it might not have scrutinized the attachment and it could contain malware that can harm your device.

Try to limit the information you share online, too. Criminals are constantly scouring the web for personal information that they can use to lure people into providing even more critical information. By sharing the names of pets, birthdays, family members, and others online, you’re unknowingly giving scammers leads to what your passwords might be.

Consider setting up multi-factor authentication on your accounts. Your accounts will be more secure because at least two pieces of information will be required from anyone trying to log into them. This will prevent thieves who might only have your password from gaining access.

What to do if you get scammed

You can (and should) report phishing, vishing, and smishing scams to the FBI. The FBI operates a hub for reporting cybercrimes, known as the Internet Crime Complaint Center. You can report scams to them here and remain anonymous if you’d like.

If you clicked on a link in a text or email and think you might have exposed your personal information or device to scammers, you can file a report with the FTC here and they’ll customize a recovery plan for you. If you’ve been contacted by a scammer but didn’t expose your personal information, consider reporting them anyway to the FTC here. Law enforcement refers to the FTC’s database and will bring charges if they notice patterns of abuse.

Immediately change the password on any of your accounts that were exposed to scammers. Also, contact the business where the accounts are held and let them know about the scam. Afterward, monitor your accounts for unauthorized transactions.

It’s also a good idea to contact the three major credit bureaus and ask that fraud alerts be placed on your accounts. You can get free copies of your credit reports and reach out to the credit bureaus here.

You can also contact the consumer protection agency in your state for help. You can find your state agency by searching for it here.

The Department of Justice runs a National Elder Fraud Hotline to help seniors who are victims of financial fraud. You can reach them at 833-FRAUD-11 (833-372-8311).

Finally, consider forwarding unsolicited emails claiming to be from the IRS to phishing@irs.gov. If you received an unsolicited text, take a screenshot of it and attach it in an email to phishing@irs.gov. Remember to delete the original email or text from your device.
